Bypassing nftables/PacketFilter firewall filtering rules by transmitting ICMP/ICMPv6 packets: vulnerability details

ID MYHACK58:62201994072
Type myhack58
Reporter Anonymous
Modified 2019-05-09T00:00:00


Background

Firewalls currently fall into four categories:

1. Packet filtering firewall: does not inspect the data area, does not maintain a connection state table, treats each packet independently of the packets before and after it, and has very weak application-layer control.
2. Application gateway firewall: does not inspect the IP or TCP header and does not maintain a connection state table; its network-layer protection is relatively weak.
3. Stateful inspection firewall: does not inspect the data area, but maintains a connection state table so that each packet is related to those before and after it; application-layer control is still very weak.
4. Composite firewall: can inspect the entire contents of a packet and maintains a connection state table as needed; network-layer protection is strong and application-layer control is fine-grained, but session control is weak.

What is PacketFilter packet filtering?

Packet filtering is a type of firewall built on the routing function of the Linux kernel; it works at the network layer. Traditional packet filtering is often found on routers, and dedicated firewall systems generally add extensions on top of it, such as stateful inspection. It decides whether to let a packet through by checking the packet's addresses, protocol, ports and other header information. The filtering system sits between the internal and external hosts and is either a router or a host; it decides whether to pass each packet according to its filtering rules. A router used to filter packets is called a filtering router.
Information used by packet filtering

Packet filtering is done by inspecting the packet's IP header and its TCP or UDP header. The main fields are:

· IP source address
· IP destination address
· Protocol: TCP, UDP or ICMP packet
· Source port of a TCP or UDP packet
· Destination port of a TCP or UDP packet
· ICMP message type
· The ACK bit in the TCP header
· The port (interface) the packet arrived on
· The port (interface) the packet leaves through

TCP/IP defines standard port numbers for some services; HTTP, for example, uses port 80. Blocking a particular port prohibits the corresponding service. A packet filtering system can also block connections between internal hosts and particular external hosts or networks, for example hosts or networks that are considered hostile or untrusted.

Filter implementation

Packet filtering is generally implemented on a filtering router, which differs from an ordinary router. An ordinary router only checks the packet's destination address and selects the best path to reach it. It handles a packet purely on the basis of its destination address, with two possible outcomes: if the router can find a path to the destination, it forwards the packet; if it does not know how to deliver the packet, it notifies the sender that the packet could not be delivered. A filtering router examines the packet more carefully: besides deciding the path to the destination address, it also decides whether the packet should be sent at all. "Should or should not" is determined by the router's filtering policy and enforced by the router.

What is nftables?

nftables is the new packet classification framework and the new Linux firewall administration program, designed to replace the existing {ip,ip6,arp,eb}_tables. In a nutshell:

1. It is used on Linux kernel versions higher than 3.13;
2. It has a new command-line tool, nft, whose syntax differs from that of iptables;
3. It also contains a compatibility layer that lets you run iptables commands on top of the new nftables kernel framework;
4. It provides a common set of primitives that let you build maps and associations. With this feature you can organize your rule set into a multi-dimensional tree, which greatly reduces the number of rules that must be checked before the final action for a packet is found.

nftables features

1. It has some capabilities of an advanced programming language, such as defining variables and including external files, i.e. additional scripting capability; nftables can also be used to filter and process various address sets.
2. Unlike iptables, nftables contains no built-in tables. The administrator decides which tables to create and which processing rules to add to them.
3. Tables contain rule chains, and rule chains contain rules.

During a security assessment of a firewall implementation, network security experts at Synacktiv observed strange firewall behavior that might affect multiple IP stacks. This article analyzes how potential behavior of Linux nftables and OpenBSD PacketFilter can form a vulnerability that bypasses nftables/PacketFilter filtering rules by transmitting ICMP/ICMPv6 packets. At first the Synacktiv researchers believed they were the first to discover this attack, but they later found that in 2004 security expert Fernando Gont had already published an article on how to detect whether your IPv6 address components are vulnerable to attack, in which he explored how the different IPv6 components could be attacked based on ND. That article is limited, however, in that it did not determine whether such an attack occurs in Packet Filter and nftables.
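The difference between the firewall categories above (a packet filter with no connection state table versus stateful inspection) and the header fields a filter consults are easiest to see in code. The following Python model is an added example, not code from the article, from nftables or from OpenBSD PF: the rule fields, addresses, interfaces and packets are constructed, the port and ICMP-type sets stand in for the set lookups nftables offers, and the rule accepting any inbound TCP segment with the ACK bit set stands in for the common stateless approximation of "established" traffic.

```python
"""Toy packet filter: stateless first-match rules versus stateful inspection.

Added example, not code from the article, nftables or OpenBSD PF.
Rules match on the header fields the article lists (addresses, protocol,
ports, ICMP type, TCP ACK bit, arrival interface). The stateful variant
adds the connection state table that the article says plain packet
filters lack. All addresses, ports and packets are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1               # only meaningful for proto == "icmp"
    ack: bool = False                 # TCP ACK bit
    iif: str = "wan"                  # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    src: Optional[str] = None         # CIDR prefix; None matches any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dports: frozenset = frozenset()   # set lookup (like an nftables set); empty = any
    icmp_types: frozenset = frozenset()
    ack: Optional[bool] = None        # required ACK bit value; None = don't care
    iif: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            not self.dports or p.dport in self.dports,
            not self.icmp_types or p.icmp_type in self.icmp_types,
            self.ack is None or self.ack == p.ack,
            self.iif is None or self.iif == p.iif,
        ))


# Constructed policy: a web server reachable from outside, ping allowed in,
# and anything from the LAN side allowed out. Everything else is dropped.
BASE_RULES = (
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dports=frozenset({80, 443}), iif="wan"),
    Rule("accept", proto="icmp", icmp_types=frozenset({8}), iif="wan"),
    Rule("accept", iif="lan"),
)
# A stateless filter cannot recognise replies, so it typically approximates
# "established" by letting in any TCP segment that has the ACK bit set.
STATELESS_RULES = BASE_RULES + (Rule("accept", proto="tcp", ack=True, iif="wan"),)


def first_match(p: Packet, rules) -> str:
    """First matching rule wins; no match means drop (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


def stateless_decision(p: Packet) -> str:
    return first_match(p, STATELESS_RULES)


class StatefulFilter:
    """BASE_RULES for new flows, plus a connection table for their replies."""

    def __init__(self):
        self.conns = set()            # 5-tuples of flows the LAN side opened

    def decision(self, p: Packet) -> str:
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if reverse in self.conns:     # reply to a flow we already let out
            return "accept"
        verdict = first_match(p, BASE_RULES)
        if verdict == "accept" and p.iif == "lan":
            self.conns.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return verdict


def demo() -> dict:
    """Compare both filters on an outbound connection, its reply and a probe."""
    outbound = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 443, iif="lan")
    reply = Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 40000, ack=True, iif="wan")
    # Unsolicited inbound segment with ACK set, aimed at a port nobody opened.
    probe = Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 22, ack=True, iif="wan")
    sf = StatefulFilter()
    return {
        "stateless_reply": stateless_decision(reply),
        "stateless_probe": stateless_decision(probe),
        "stateful_outbound": sf.decision(outbound),
        "stateful_reply": sf.decision(reply),
        "stateful_probe": sf.decision(probe),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Both filters accept the genuine reply, but only the stateful one drops the unsolicited ACK segment, because it consults its connection table rather than a header bit; that is the practical difference between the first and third firewall categories described above.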
ICMP and ICMPv6

ICMP and ICMPv6 are the main supporting protocols of the Internet, designed for connectivity testing and for signaling errors when a packet cannot reach its destination. Receiving an ICMP message lets an application understand the cause of a failure, such as a packet being too large or no route being available.

ICMP messages

As protocols, ICMPv6 and the IPv4-based ICMP differ greatly and are two different protocols. To distinguish them, the IPv6-based ICMP protocol is named ICMPv6 and has protocol number 58, while ICMP generally refers to the traditional IPv4 protocol. The most commonly used ICMP function is ping, which is a network engineer's first step in locating a fault or problem. ICMPv6 is a very important basic protocol in IPv6: many of IPv6's underlying mechanisms, such as duplicate address detection, address resolution and stateless autoconfiguration, are defined and carried out through ICMPv6. ICMPv6 defines various message types and mechanisms to implement these functions. In the IPv6 header, NextHeader=58 indicates that an ICMPv6 message is encapsulated after the IPv6 header.

ICMPv6 messages fall into two categories: error messages and information messages. Like ICMP, ICMPv6 is still used to convey error information and to diagnose network failures.
Besides basic error feedback and information control functions, ICMPv6 also includes mechanisms built on ICMPv6, such as Path MTU Discovery (PMTUD). PMTUD sends packets of increasing length toward the destination node; when a packet's length exceeds the smallest MTU on the path to the destination, the packet is dropped and a Packet Too Big message is sent back to the source, so the source node learns the smallest MTU on that path. For different purposes, ICMPv6 feedback messages are identified by type and code, and each identifier has a different meaning. For example, ICMP will feed back the following messages:

1. Echo reply and request (types 1 and 8); and
2. Destination unreachable (type 3);
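The message classification above (error versus informational, identified by type and code) and the Packet Too Big exchange used by PMTUD are easiest to verify with a parser. The following Python code is an added example and not part of the article or of the Synacktiv research: it decodes an IPv6 packet carrying an ICMPv6 message, checks the checksum over the IPv6 pseudo-header, classifies the message, and for Packet Too Big extracts the advertised MTU. The sample packet is constructed inline, and the plausibility check against the 1280-byte IPv6 minimum link MTU is our own addition rather than something the article describes.

```python
"""Parse and validate an ICMPv6 message carried in an IPv6 packet.

Added example, not code from the article. It follows RFC 4443: ICMPv6 is
Next Header 58, its checksum covers an IPv6 pseudo-header, types below 128
are error messages and types 128 and up are informational. The sample
Packet Too Big message is constructed inline; the plausibility check on
the advertised MTU (IPv6 minimum link MTU of 1280, RFC 8200) is our own.
"""
import struct
from ipaddress import IPv6Address

ICMPV6 = 58
PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum over 16-bit words; 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src: IPv6Address, dst: IPv6Address, msg: bytes) -> int:
    """Checksum over the pseudo-header (src, dst, length, next header) plus the message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(msg), ICMPV6)
    return ones_complement_checksum(pseudo + msg)


def build_packet_too_big(src, dst, mtu: int, invoking: bytes) -> bytes:
    """IPv6 header + ICMPv6 Packet Too Big (type 2, code 0) with a valid checksum."""
    msg = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, mtu) + invoking
    csum = icmpv6_checksum(src, dst, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    # version 6, payload length, Next Header 58, hop limit 64
    hdr = struct.pack("!IHBB", 0x60000000, len(msg), ICMPV6, 64) + src.packed + dst.packed
    return hdr + msg


def parse_icmpv6(packet: bytes) -> dict:
    """Validate the IPv6 header and ICMPv6 checksum, then classify the message."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nh, _hlim = struct.unpack("!IHBB", packet[:8])
    if vtcfl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if nh != ICMPV6:
        raise ValueError("Next Header %d is not ICMPv6" % nh)
    src, dst = IPv6Address(packet[8:24]), IPv6Address(packet[24:40])
    msg = packet[40:40 + plen]
    if len(msg) < 8 or len(msg) != plen:
        raise ValueError("truncated ICMPv6 message")
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    mtype, code = msg[0], msg[1]
    info = {"src": str(src), "dst": str(dst), "type": mtype, "code": code,
            "class": "informational" if mtype >= 128 else "error"}
    if mtype == PACKET_TOO_BIG:
        mtu = struct.unpack("!I", msg[4:8])[0]
        info["mtu"] = mtu
        info["mtu_plausible"] = mtu >= IPV6_MIN_MTU   # below 1280 it should not be honoured
        info["invoking_packet"] = msg[8:]             # as much of the dropped packet as fit
    return info


def is_valid_icmpv6(packet: bytes) -> bool:
    try:
        parse_icmpv6(packet)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Router 2001:db8::1 tells 2001:db8::2 that the path MTU is 1400 (constructed sample)."""
    src, dst = IPv6Address("2001:db8::1"), IPv6Address("2001:db8::2")
    invoking = bytes(8)   # stand-in for the start of the dropped packet
    return parse_icmpv6(build_packet_too_big(src, dst, 1400, invoking))


def corrupted_is_valid() -> bool:
    """Flip one bit of the sample packet; the checksum check must reject it."""
    src, dst = IPv6Address("2001:db8::1"), IPv6Address("2001:db8::2")
    pkt = bytearray(build_packet_too_big(src, dst, 1400, bytes(8)))
    pkt[-1] ^= 0x01
    return is_valid_icmpv6(bytes(pkt))


if __name__ == "__main__":
    print(demo())
    print("corrupted packet accepted:", corrupted_is_valid())
```

A filter that honours Packet Too Big without validating the checksum or the advertised MTU is the kind of behaviour worth examining in the rest of the article; the parser rejects a corrupted message and flags an MTU below the IPv6 minimum rather than acting on it.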
